The CCleaner hack was much worse than we thought – here’s how to fix it

A few days ago, cybersecurity experts revealed that a PC security product was backdoored by hackers, which allowed the attackers to install malicious software on compromised computers. Avast, the parent company of the firm that makes CCleaner, said there aren’t any real reasons to worry, and that a safe update is already available to fix the problem. However, a second report from the Talos group says the original attack turned out to be much worse than initially thought, so you may need to take additional steps to protect yourself..

Apparently, the attackers installed a second malware application on the computers it infected, targeting a specific list of domains. According to Talos, tech corporations including HTC, Samsung, Sony, VMWare, Intel, Microsoft, Cisco, Linksys, Google, MSI, and many others are included in the list of targets.

“Interestingly the array specified contains Cisco’s domain (cisco.com) along with other high-profile technology companies,” the security company wrote. “This would suggest a very focused actor after valuable intellectual property.”

The CCleaner backdoor hack affected almost 2.3 million users, but it’s unclear how many of them received the second payload. Talos says that it only discovered 20 machines that received the specialized secondary attack.

In case you think you were affected by the hack either at home or at work, you should update CCleaner to the latest version available, and consider other steps to remove any potential malware that may still reside on your drives. That’s what Talos has recommended all along.

“These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor,” the company said. “These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.”

Avast has confirmed the second payload in a blog post that further details the attack:

Finally, it is extremely important to us to resolve the issue on customer machines. For consumers, we stand by the recommendation to upgrade CCleaner to the latest version (now 5.35, after we have revoked the signing certificate used to sign the impacted version 5.33) and use a quality antivirus product, such as Avast Antivirus. For corporate users, the decision may be different and will likely depend on corporate IT policies. At this stage, we cannot state that the corporate machines could not be compromised, even though the attack was highly targeted.